CVE-2007-6286

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

Published: Feb 12, 2008
Updated: Apr 13, 2023
CVE: CVE-2007-6286
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
apache / tomcat	5.5.18	5.5.18.x
apache / tomcat	6.0.6	6.0.6.x
apache / tomcat	6.0.11	6.0.11.x
apache / tomcat	5.5.12	5.5.12.x
apache / tomcat	5.5.14	5.5.14.x
apache / tomcat	6.0.7	6.0.7.x
apache / tomcat	5.5.11	5.5.11.x
apache / tomcat	6.0.4	6.0.4.x
apache / tomcat	5.5.20	5.5.20.x
apache / tomcat	5.5.15	5.5.15.x
apache / tomcat	6.0.15	6.0.15.x
apache / tomcat	5.5.21	5.5.21.x
apache / tomcat	5.5.22	5.5.22.x
apache / tomcat	6.0.10	6.0.10.x
apache / tomcat	6.0.3	6.0.3.x
apache / tomcat	6.0.9	6.0.9.x
apache / tomcat	5.5.25	5.5.25.x
apache / tomcat	6.0.0	6.0.0.x
apache / tomcat	6.0.14	6.0.14.x
apache / tomcat	5.5.13	5.5.13.x
apache / tomcat	6.0.1	6.0.1.x
apache / tomcat	6.0.12	6.0.12.x
apache / tomcat	5.5.24	5.5.24.x
apache / tomcat	5.5.16	5.5.16.x
apache / tomcat	6.0.5	6.0.5.x
apache / tomcat	5.5.17	5.5.17.x
apache / tomcat	5.5.19	5.5.19.x
apache / tomcat	6.0.2	6.0.2.x
apache / tomcat	6.0.13	6.0.13.x
apache / tomcat	5.5.23	5.5.23.x
apache / tomcat	6.0.8	6.0.8.x

Vulnerability Database

289,599

CVE-2007-6286